For far too long, the cybersecurity industry has primarily focused on protecting the largest organizations from sophisticated and constantly evolving cyberattacks. While extremely important, this narrow focus has come at the expense of smaller or midsize organizations that don't have the same resources but also must protect themselves against the same sophisticated adversaries.
In the private sector, this includes organizations that are the backbone of our economy, from regional banks and credit unions to hospitals, law firms, manufacturers, and more.
In the public sector, there are countless state, local, tribal, and territorial (SLTT) government agencies that simply don't get the same funding and resources for cybersecurity as higher-profile areas of government.
As Dark Reading reported this spring, the US Cybersecurity and Infrastructure Security Agency (CISA) is starting to recognize this imbalance and put more effort into helping these "cyber poor" organizations.
Where to Start
As someone who works with small to midsize agencies and organizations daily, here are five recommendations for CISA on where to start.
1. Streamline Membership and Access to ISACs
Information Sharing and Analysis Centers (ISACs) were introduced in May 1998 by Presidential Decision Directive-63 and have not effectively evolved to deal with today's cyber landscape.
ISAC membership is currently expensive and gated, and it often excludes cost-effective partnerships with software, services, and infrastructure providers, which puts it out of reach for the average small or midsize business or SLTT government agency.
CISA needs to help streamline membership and access to ISACs and could do so by implementing grants that enable broader access to these critical information security resources.
2. Expand Use of Albert Sensors
Albert sensors are intrusion-detection systems funded by CISA, designed for use in state and local government organizations, and deployed nationally. There are currently more than 800 Albert sensors generating more than 250,000 alerts annually, and through working with SLTT organizations in my current role, I've seen firsthand the benefits they have in identifying and containing breaches and securing networks.
While 800 sensors are a good start, there should be more effort and funding to place these critical assets at the SLTT level. There should also be an effort to expand Albert sensors beyond SLTT through public-private partnerships. CISA should work on reviewing existing authorities or petition for legislation that would enable it to fund and deploy Albert sensors to willing service provider networks and all ISACs.
CISA should also make it easier to integrate Albert sensor data into external security products, in line with its own defense-in-depth and holistic-view guidance, by partnering with systems integrators, similar to how the National Security Agency (NSA) has partnered with the National Information Assurance Partnership (NIAP) CC-EVS and its Commercial Solutions for Classified (CSfC) programs.
Albert sensors give us the tools to better defend US networks and businesses; they just lack deployment and proper management. If we had that, they could act like a cyber early-warning system, similar to those deployed for US-bound ballistic missile threats.
3. Improve Information and Intelligence Sharing with MSPs and MSSPs
Small and midsize organizations compete for cybersecurity talent with large enterprises and government agencies, and it's not a fair fight.
Since there aren't enough qualified professionals to meet everyone's needs, we must look for ways to amplify the resources that are available.
Empowering managed service providers (MSPs) and managed security service providers (MSSPs) is critical to scaling the nation's cyber capabilities. To help, CISA could work on streamlining data and threat distribution to these organizations.
4. Create a Better Portal and Standard Interface for Two-Way Intelligence Sharing
Current CISA intelligence distribution is mainly limited to its Automated Indicator Sharing (AIS) system, which was created to facilitate real-time sharing of cyber-threat indicators (CTIs) between the federal government and the private sector. But the ad hoc release of advisories is infrequent compared with the quickly evolving threat landscape.
In addition, AIS allows participants to send and receive CTI in a machine-readable format, but the systems are too complicated for small and midsize businesses. Without third-party integrators, they can't meet technical requirements for accessing AIS or effectively applying the data to their cyber defenses.
CISA needs to provide clear and low-cost ways for small and midsize businesses (SMBs) to integrate AIS intelligence, since most US businesses haven't heard of, or do not use, this critical defense resource. CISA's Stakeholder Engagement Division, working with its Cybersecurity Division, needs to be given a charge to work more closely with SMBs and to provide direct contact resources for specific industry sectors and regions.
5. Lobby for Stricter Incident-Reporting Requirements
CISA and other government entities can't help defend or alert potential victims to activity they don't know about.
Some industries are required to report specific cybersecurity incidents because of regulations such as HIPAA in healthcare and rules imposed by the SEC, FDIC, or other bodies in finance. But regulations like these are far from universal, and existing oversight doesn't apply to many small and midsize organizations.
CISA and the executive branch should lobby Congress for legislation mandating the reporting of cyber incidents across industries and business sizes. Even without a mandate, CISA needs a better pathway for organizations to share the details of attacks and exposures. Knowing what's affecting midsize organizations will give CISA greater power to help protect them.
By adopting any or all of these five recommendations, CISA could become the guiding light for small and midsize organizations and local governments that must tackle questions about network security and the safety of their data.